1. Field of the Invention
The present invention relates generally to the field of credit card security, and more particularly to a bio-metric smart card, a bio-metric smart card reader and a method of use for the card and reader.
2. Description of the Related Art
Recent innovations have brought significant security-related advances to the credit card, debit card, and consumer banking industries. In the 1980s, holographic images were introduced and included on plastic card faces to deter the manufacture of counterfeit cards. More recently, some cards have been adapted to include a photograph of the authorized user, thereby obviating the need for a purchaser to present separate identification and decreasing the likelihood of fraud. Most recently, smart cards, also known as personal data cards or chip cards, which include a memory chip integral with the card, now provide additional security features.
Despite these advances, the industry remains burdened by a considerable fraud problem. Credit card theft and fraud account for billions of dollars in damages a year in the U.S. alone, with billions more being lost overseas. Holographic images do nothing to deter the unauthorized use of a genuine card, and new technology has made them easier to copy. Sub-thumbnail sized photos on cards are often too small for careful examination by store clerks and, like holograms, cannot be viewed during online or telephone-based transactions. And smart cards provide no new security features unless used across a new breed of card-reading infrastructure, which will cost hundreds of millions of dollars to install. Moreover, like the other new technologies described above, smart cards do not address online and telephonic sales scenarios wherein the merchant lacks the ability to examine the actual card. Perhaps most importantly, since smart cards are not compatible with the existing card-reading infrastructure, they do not address the near term needs of the industry and the massive on-going losses caused by fraudulent use.
Referring to FIG. 1, there is illustrated an available system 100 for credit card processing. On a credit or debit card 110 there is permanently displayed on a front face surface 112 a multi-(typically sixteen) digit number representative of the card holder's debit or credit account. Also displayed on the surface 112 are the expiration date and card holder's name. A magnetic strip (not shown) is typically found on the back surface of card 110 and contains at least the information displayed on the front surface 112. To process a transaction using the card 110, a seller might use a magnetic strip reader 120 (such as available from Magtec, Inc.) by sliding the upper portion of card 110 through slot 122 to read the information stored within the magnetic strip. After the information is forwarded across network 125 to a financial institution or credit card authorization service, along with data about the requested transaction, a returned authorization number or denial message is displayed across display area 124. In the alternative, the user might read aloud over a telephone connection or otherwise transmit the account number, name and expiration information to a seller, who requests a transaction authorization from a central transaction authority across network 125.
In the above-described available transaction process, while recent security advances do provide some crime protection, there is still far more opportunity than desirable for deception and fraud. Specifically, if the card is lost or stolen the thief or finder of the lost card might use the card for fraudulent purchases. Also, if a thief finds or steals a receipt or similar record listing the card number and other card information found in field 112, that information might be fraudulently used for online or telephonic transactions.
There is therefore a need in the art for a new fraud-preventive system and method, which is compatible with the existing infrastructure, and can be used securely for remote, telephonic, or Internet-based transactions.
In general, the present invention is a system for increasing transaction security across existing credit card processing infrastructure. A user bio-metric sensor device is integrated into a credit or debit "smart card". A display unit provides a key, preferably encrypted, upon successful utilization of the sensor device. Included in the key generation mechanism is an indicator of the transaction number or other sequential count indicative of card use. An authorization service decrypts the key in a manner at least partially dependent upon a second sequential count maintained in sync with the first count to determine whether the use is authorized. A separate reader may be similarly configured to read existing smart cards utilizing the process of the present invention.
In one embodiment, the present invention is a smart card style apparatus including a bio-metric sensor providing the user an authentication data input for proving the user is authorized to use the account number, a transaction counter for tracking authorized device access events, a processor in electrical communication with the user authenticator and counter, wherein the processor is programmed to generate a security key in response to authentication data received via the sensor, and a display unit to display the security key on the face of the card. The security key is derived at least in part from the contents of the counter. In another embodiment, the present invention is configured as a portable reader for reading and authorizing purchases using existing smart cards. The present invention may also be configured as a peripheral device to a computer system.
According to the present invention, a method of securely authorizing a transaction utilizing an account comprises confirming an authorized use of an account card via a bio-metric sensor, maintaining a first count indicative of a number of instances of such authorized uses, generating a security key in a manner at least partially dependent upon the count, transmitting the security key to an authorizing authority, processing the security key at the authorizing authority, maintaining a second count indicative of a number of transmissions received by the authorizing authority for the account, confirming that the security key was generated by an authorized user at least in part through use of the first count and the second count, and authorizing the transaction if the security key is validated.
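The counter-synchronized key exchange of the method above, sketched as an added example that is not part of the patent text. The text specifies only that the security key depends on the count; the HMAC-based derivation (used here in place of the encrypt/decrypt step), the shared secret, the eight-digit key length and the look-ahead window that tolerates keys displayed but never transmitted are all assumptions.

```python
import hashlib
import hmac
import struct

def security_key(secret: bytes, count: int, digits: int = 8) -> str:
    # Assumed derivation: HMAC over the use count, truncated HOTP-style.
    mac = hmac.new(secret, struct.pack(">Q", count), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Card:
    def __init__(self, secret: bytes):
        self.secret, self.count = secret, 0   # first count

    def authorize_use(self, biometric_ok: bool):
        if not biometric_ok:                  # sensor rejected the user
            return None                       # no key, count unchanged
        self.count += 1
        return security_key(self.secret, self.count)

class Authority:
    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.count, self.window = secret, 0, window  # second count

    def validate(self, key: str) -> bool:
        # Accept only counts ahead of the last one seen, so a replayed
        # or stale key never validates.
        for c in range(self.count + 1, self.count + 1 + self.window):
            if hmac.compare_digest(security_key(self.secret, c), key):
                self.count = c                # resynchronize to the card
                return True
        return False

def demo():
    secret = b"constructed-demo-secret"       # constructed sample value
    card, auth = Card(secret), Authority(secret)
    results = {"no_biometric": card.authorize_use(False)}
    k1 = card.authorize_use(True)
    results["first_use"] = auth.validate(k1)
    results["replay"] = auth.validate(k1)     # copied from a receipt
    card.authorize_use(True)                  # key 2 displayed, never sent
    k3 = card.authorize_use(True)
    results["after_skip"] = auth.validate(k3)
    results["authority_count"] = auth.count
    return results

if __name__ == "__main__":
    print(demo())
```

A key captured from a receipt or overheard on a telephone order fails on reuse because the second count has already advanced past it, which is the property that lets the scheme work for remote transactions.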